QCecuring - Enterprise Security Solutions
Manufacturing

A Global Manufacturing Company

A global manufacturing company operating 22 production facilities across 8 countries unified certificate lifecycle management across its OT and IT environments, securing SCADA and OPC UA communications while achieving IEC 62443 compliance for its industrial control systems.

The Challenge

Certificate Management Challenges at the OT/IT Convergence Boundary

OT certificate blind spots across 22 production facilities

The company's operational technology environment included over 1,800 certificates securing SCADA HMI connections, OPC UA server-to-server communications, historian database links, and MES-to-ERP integrations across 22 factories. The IT security team had visibility into corporate network certificates but no inventory of OT certificates — these were managed independently by plant engineers using local CAs, self-signed certificates, and in some cases, certificates that had not been rotated since the control systems were commissioned 8 to 12 years prior. A security assessment revealed that 30% of OT certificates used deprecated SHA-1 signatures and 1024-bit RSA keys.

SCADA certificate management constrained by production schedules

Certificate renewals on SCADA systems and PLCs could not follow standard IT renewal processes. Production lines operated on 24/7 schedules with planned maintenance windows of only 4 to 6 hours per month. Any unplanned certificate change risked disrupting real-time control communications between SCADA servers and field devices, potentially halting production. Plant engineers avoided certificate changes entirely, preferring to re-issue certificates with very long validity periods, or to disable certificate validation outright, rather than risk a production stoppage. This created a growing population of expired and non-compliant certificates across the OT environment.

IEC 62443 compliance gaps in certificate and key management

The company's customers — major automotive and aerospace OEMs — required IEC 62443 compliance for industrial control system security. IEC 62443-3-3 SR 1.8 (Public Key Infrastructure Certificates) and SR 1.9 (Strength of Public Key Authentication) mandated proper certificate lifecycle management, key strength requirements, and revocation capabilities. The company could not demonstrate compliance for its OT certificate infrastructure, putting contract renewals with three major customers at risk and blocking qualification for two new automotive programs.

Our Solution

Unified OT/IT Certificate Lifecycle Management with QCecuring

Agentless certificate discovery across OT and IT environments

QCecuring's agentless scanners discovered all certificates across both OT and IT environments — SCADA servers, OPC UA endpoints, historian databases, MES systems, HMI panels, and corporate IT infrastructure across all 22 production facilities. The platform identified 1,800+ OT certificates and mapped their trust relationships, CA sources, key strengths, and expiry timelines. Discovery was designed not to disrupt real-time control communications: certificates were collected over the network, with no agents installed on sensitive OT endpoints. Agentless is not the same as passive, however; a network scan that reads a certificate still opens a connection to the endpoint, so in OT networks such scans should be rate-limited, restricted to known endpoints and coordinated with plant engineers, or replaced by reading the application's own certificate store where active probing of a controller is not acceptable.

SSL/TLS Certificate Lifecycle Management

Maintenance-window-aware automated renewal for OT systems

QCecuring's renewal workflows were configured with plant-specific maintenance window schedules. The platform staged certificate renewals in advance, pre-validating new certificates against OT system requirements (key type, signature algorithm, SAN configuration; for OPC UA application instance certificates this means the ApplicationUri the server advertises must be present as a SAN URI, or clients reject the endpoint). During the designated maintenance window, automated deployment pushed renewed certificates to SCADA servers, OPC UA endpoints, and HMI systems in a coordinated sequence that kept dependent systems able to authenticate each other throughout the change. Rollback procedures were pre-configured for each deployment target in case of validation failures.
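The window-aware staging described above, reduced to its scheduling logic, as an added example. This is not QCecuring's code; the plant name, window times, asset names, effort budgets and the 14-day lead time are constructed assumptions. Each rotation is placed in the earliest window at its plant that still ends at least a lead time before the certificate expires and has budget left for deployment plus rollback, most urgent first; within a window, assets are ordered after the assets they declare as prerequisites; anything that cannot be covered is surfaced as needing an emergency change rather than being silently dropped.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Window is one planned maintenance window at a plant.
type Window struct {
	Plant      string
	Start, End time.Time
}

// Rotation is one certificate due for renewal. Effort budgets deploy, validation and a possible
// rollback; After names assets that must be deployed first when they share the window.
type Rotation struct {
	Asset, Plant string
	NotAfter     time.Time
	Effort       time.Duration
	After        []string
}

// Schedule puts each rotation in the earliest window at its plant that starts after now, ends at
// least lead before the certificate expires and still has budget, most urgent first. It returns
// the deployment order per window (key "plant start") and the rotations no window can cover.
func Schedule(rots []Rotation, windows []Window, now time.Time, lead time.Duration) (map[string][]string, []string) {
	ws := append([]Window(nil), windows...)
	sort.Slice(ws, func(a, b int) bool { return ws[a].Start.Before(ws[b].Start) })
	rs := append([]Rotation(nil), rots...)
	sort.SliceStable(rs, func(a, b int) bool { return rs[a].NotAfter.Before(rs[b].NotAfter) })
	used := map[int]time.Duration{} // time already allocated per window index
	batches, unplanned := map[string][]Rotation{}, []string{}
	for _, r := range rs {
		deadline, placed := r.NotAfter.Add(-lead), false
		for i, w := range ws {
			if w.Plant != r.Plant || w.Start.Before(now) || w.End.After(deadline) || w.End.Sub(w.Start)-used[i] < r.Effort {
				continue
			}
			k := w.Plant + " " + w.Start.Format("2006-01-02 15:04")
			batches[k], used[i], placed = append(batches[k], r), used[i]+r.Effort, true
			break
		}
		if !placed {
			unplanned = append(unplanned, fmt.Sprintf("%s expires %s: no %s window with spare budget ends by %s",
				r.Asset, r.NotAfter.Format("2006-01-02"), r.Plant, deadline.Format("2006-01-02")))
		}
	}
	scheduled := map[string][]string{}
	for k, batch := range batches {
		scheduled[k] = deployOrder(batch)
	}
	return scheduled, unplanned
}

// deployOrder sorts a window's batch so every asset follows the assets it is After; prerequisites
// outside the batch are ignored. Each pass emits at least one asset unless the rest form a cycle.
func deployOrder(batch []Rotation) []string {
	inBatch, done := map[string]bool{}, map[string]bool{}
	for _, r := range batch {
		inBatch[r.Asset] = true
	}
	var out []string
	for pass := 0; pass < len(batch) && len(out) < len(batch); pass++ {
		for _, r := range batch {
			ready := !done[r.Asset]
			for _, d := range r.After {
				ready = ready && (!inBatch[d] || done[d])
			}
			if ready {
				out, done[r.Asset] = append(out, r.Asset), true
			}
		}
	}
	for _, r := range batch { // whatever is left sits in a dependency cycle; report it, never drop it
		if !done[r.Asset] {
			out = append(out, r.Asset+" (dependency cycle)")
		}
	}
	return out
}

// SamplePlan runs Schedule on constructed sample data (not the company's real schedule): three
// windows at plant P07 and four rotations, one of which expires before any window can take it.
func SamplePlan() (map[string][]string, []string) {
	at := func(m time.Month, day, hour int) time.Time { return time.Date(2025, m, day, hour, 0, 0, 0, time.UTC) }
	windows := []Window{{"P07", at(2, 15, 2), at(2, 15, 8)}, {"P07", at(3, 15, 2), at(3, 15, 6)}, {"P07", at(4, 12, 2), at(4, 12, 8)}}
	rots := []Rotation{
		{"plc-gw", "P07", at(2, 20, 0), time.Hour, nil}, // expires before the first window can take it
		{"scada-srv", "P07", at(3, 28, 0), 2 * time.Hour, []string{"opcua-hist"}},
		{"opcua-hist", "P07", at(4, 1, 0), 3 * time.Hour, nil},
		{"hmi-line3", "P07", at(5, 30, 0), 2 * time.Hour, []string{"scada-srv"}},
	}
	return Schedule(rots, windows, at(1, 20, 0), 14*24*time.Hour)
}

func main() {
	scheduled, unplanned := SamplePlan()
	fmt.Println(scheduled, "needs emergency change:", unplanned)
}
```

With the sample data, the February window receives opcua-hist and scada-srv in that order (the SCADA server is more urgent but declares the OPC UA server as a prerequisite), hmi-line3 is pushed to March because the February window has only an hour of budget left, and plc-gw is reported as uncoverable because it expires before any window ends inside the lead time. Rotations in different windows are treated as independent, which holds when every renewed certificate chains to the same approved CA the peers already trust; where peers rely on explicit trust lists instead, the trust-list update belongs in After as a prerequisite of the server switch.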


IEC 62443-aligned certificate governance and reporting

The platform enforced certificate policies aligned with IEC 62443-3-3 requirements — minimum RSA 2048 or ECDSA P-256 key strength (SR 1.9), certificates issued only from approved CAs with proper chain validation (SR 1.8), and automated revocation capabilities for compromised certificates. Revocation is only effective on endpoints that actually check certificate status; in segmented OT networks that typically means distributing CRLs to local trust stores rather than relying on online OCSP lookups. QCecuring generated IEC 62443 compliance reports mapping certificate state to specific security requirements, providing the evidence needed for customer audits and IEC 62443 certification assessments.
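The agentless discovery described in the first solution paragraph and the SR 1.8 / SR 1.9 policy checks described above, as an added Go example. This is not QCecuring's code; the CA name, the `urn:plant07:opcua:historian` ApplicationUri and the host names are constructed for the example. It builds a small sample inventory in memory (an approved enterprise CA, a compliant P-256 OPC UA server certificate, and a legacy self-signed RSA-1024 HMI certificate), audits each certificate for key strength, signature hash, expiry, chain to an approved CA and the OPC UA ApplicationUri SAN, and shows the agentless fetch as a plain TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// FetchLeaf is the agentless path: one TLS handshake, nothing installed on the host. Verification is
// skipped on purpose (this step only inventories; AuditCertificate judges). OPC UA over opc.tcp does
// not use TLS, so those certificates are read from the application's PKI store instead.
func FetchLeaf(addr string, timeout time.Duration) (*x509.Certificate, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if peers := conn.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0], nil
	}
	return nil, fmt.Errorf("%s presented no certificate", addr)
}

// AuditCertificate applies the page's policy and returns one finding per violation, tagged with the
// IEC 62443-3-3 requirement it maps to: key strength and signature hash (SR 1.9); validity and chain
// to an approved CA (SR 1.8); and, when appURI is set, the OPC UA ApplicationUri present as a SAN URI.
func AuditCertificate(cert *x509.Certificate, approved *x509.CertPool, now time.Time, appURI string) []string {
	var out []string
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			out = append(out, fmt.Sprintf("SR 1.9: RSA key is %d bits, minimum 2048", pub.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < 256 {
			out = append(out, "SR 1.9: ECDSA curve "+pub.Curve.Params().Name+" is weaker than P-256")
		}
	default:
		out = append(out, fmt.Sprintf("SR 1.9: key type %T is neither RSA nor ECDSA", pub))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		out = append(out, "SR 1.9: weak signature algorithm "+cert.SignatureAlgorithm.String())
	}
	if now.After(cert.NotAfter) {
		out = append(out, "SR 1.8: expired "+cert.NotAfter.Format("2006-01-02"))
	}
	opts := x509.VerifyOptions{Roots: approved, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		out = append(out, "SR 1.8: no chain to an approved CA: "+err.Error())
	}
	if appURI != "" { // OPC UA Part 6: the ApplicationUri must be a SAN URI, else clients reject the endpoint
		found := false
		for _, u := range cert.URIs {
			found = found || u.String() == appURI
		}
		if !found {
			out = append(out, "SR 1.8: SAN lacks OPC UA ApplicationUri "+appURI)
		}
	}
	return out
}

// SampleInventory is constructed sample data, not the company's certificates: the approved enterprise
// CA, a compliant P-256 OPC UA server certificate it issued, and a legacy self-signed RSA-1024 HMI cert.
func SampleInventory() (pool *x509.CertPool, opc, hmi *x509.Certificate) {
	sign := func(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der) // DER produced just above always parses
		return c
	}
	nb, na := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2027, 1, 1, 0, 0, 0, 0, time.UTC)
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Enterprise Root CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	pool = x509.NewCertPool()
	pool.AddCert(ca)
	opcKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	appURI, _ := url.Parse("urn:plant07:opcua:historian")
	opc = sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "historian.plant07"},
		NotBefore: nb, NotAfter: na, URIs: []*url.URL{appURI}}, ca, &opcKey.PublicKey, caKey)
	hmiKey, _ := rsa.GenerateKey(rand.Reader, 1024) // legacy key size, deliberately weak
	hmiTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "hmi-line3.plant07"}, NotBefore: nb, NotAfter: na}
	return pool, opc, sign(hmiTmpl, hmiTmpl, &hmiKey.PublicKey, hmiKey)
}

func main() {
	pool, opc, hmi := SampleInventory()
	fmt.Println("historian.plant07:", AuditCertificate(opc, pool, time.Now(), "urn:plant07:opcua:historian"))
	fmt.Println("hmi-line3.plant07:", AuditCertificate(hmi, pool, time.Now(), ""))
}
```

The SHA-1 check runs on the parsed SignatureAlgorithm field, so a legacy certificate fetched from a plant endpoint exercises it even though the sample inventory only generates SHA-256-signed certificates. InsecureSkipVerify in FetchLeaf is acceptable only because the connection is used to read the certificate and nothing else; every handshake is still active traffic to the endpoint, which is why an OT inventory run should be throttled and scoped to known hosts.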

Results

Measurable Impact on OT Security and Compliance

Zero production disruptions

Maintenance-window-aware renewal workflows completed all OT certificate rotations without a single unplanned production disruption over a 12-month period. The coordinated deployment approach eliminated the risk that had previously caused plant engineers to avoid certificate changes entirely.

IEC 62443 compliance achieved

The company demonstrated full compliance with IEC 62443-3-3 SR 1.8 and SR 1.9 requirements for certificate and key management across all 22 production facilities. This secured contract renewals with three major automotive OEM customers and qualified the company for the two new programs whose qualification had been blocked.

100% OT certificate visibility

QCecuring's discovery brought all 1,800+ OT certificates under centralized management for the first time, replacing the fragmented plant-by-plant approach. The 30% of certificates using deprecated SHA-1 signatures and 1024-bit RSA keys were identified and re-issued with compliant key strengths and signature algorithms during scheduled maintenance windows.

Our OT environment was a certificate management blind spot for years. Plant engineers managed certificates locally, and the IT security team had no visibility into what was deployed on the factory floor. QCecuring bridged that gap without disrupting production — the maintenance-window-aware renewal capability was the key differentiator. We can now demonstrate IEC 62443 compliance to our automotive and aerospace customers with confidence.

— VP of OT Security

FAQ

Frequently Asked Questions

Does QCecuring require installing agents on SCADA systems or PLCs?

No. QCecuring uses agentless, network-based scanning to discover certificates on OT endpoints. No software agents are installed on SCADA servers, PLCs, or HMI panels. This approach avoids introducing additional software into the OT environment and eliminates concerns about agent-related disruptions to real-time control systems.

How does the platform handle certificate renewal without disrupting production?

QCecuring's renewal workflows are configured with plant-specific maintenance window schedules. Certificates are pre-staged and validated before the maintenance window. During the window, automated deployment pushes renewed certificates in a coordinated sequence that maintains communication integrity between dependent OT systems. Rollback procedures are pre-configured for each target in case of deployment issues.

Can QCecuring manage certificates from different CAs used across OT and IT?

Yes. QCecuring supports multi-CA environments, which is common in manufacturing where OT systems may use internal CAs, vendor-specific CAs, or self-signed certificates while IT uses enterprise CAs. The platform normalizes certificate data from all sources into a unified inventory and can enforce consistent policies regardless of the issuing CA.
